Google Play store refused app based on a vulnerability, how can I prove I have removed it?

Time: 2016-08-31 17:27:41

Tags: android upnp linphone android-security linphone-sdk

I downloaded the open source project Linphone and built it accordingly. After building, I imported the project into Eclipse and tried some customisations in the layouts. Now I want to upload the app to the Play Store, but I received this rejection:

Hello Google Play Developer,

We rejected your app, with package name org.xxxxxx, for violating our Malicious Behavior or User Data policy. If you submitted an update, the previous version of your app is still available on Google Play.

This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

Vulnerability: Portable SDK for UPnP Devices. The vulnerabilities were fixed in libupnp v1.6.18 and higher. For more information and next steps, please see this Google Help Center article.
APK Version(s): 2511

To confirm you’ve upgraded correctly, submit the updated version of your app to the Developer Console and check back after five hours to make sure the warning is gone.

While these vulnerabilities may not affect every app that uses this software, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known security issues, even if you're not sure the issues are relevant to your app.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies.

If you feel we have made this determination in error, please reach out to our policy support team.

How can I update the UPnP SDK in the Linphone Android project and resolve this issue? I changed the files of libupnp in submodules/externals/build/libupnp to the latest version's files,

but the updated version still gets this rejection.

Here is the build.gradle:

EDITED

build.gradle

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:1.0.0'
    }
}
apply plugin: 'android'

dependencies {
    compile fileTree(dir: 'libs', include: '*.jar')
}

android {
    compileSdkVersion 22
    buildToolsVersion "20.0.0"

    sourceSets {
        main {
            manifest.srcFile 'AndroidManifest.xml'
            java.srcDirs = ['submodules/linphone/mediastreamer2/java/src','submodules/linphone/java/j2se','submodules/linphone/java/common','submodules/linphone/java/impl','submodules/externals/axmlrpc/src/main/java','submodules/linphone/coreapi/help/java','src']
            resources.srcDirs = ['submodules/linphone/mediastreamer2/java/src','submodules/linphone/java/j2se','submodules/linphone/java/common','submodules/linphone/java/impl','submodules/externals/axmlrpc/src/main/java','submodules/linphone/coreapi/help/java','src']
            aidl.srcDirs = ['submodules/linphone/mediastreamer2/java/src','submodules/linphone/java/j2se','submodules/linphone/java/common','submodules/linphone/java/impl','submodules/externals/axmlrpc/src/main/java','submodules/linphone/coreapi/help/java','src']
            renderscript.srcDirs = ['submodules/linphone/mediastreamer2/java/src','submodules/linphone/java/j2se','submodules/linphone/java/common','submodules/linphone/java/impl','submodules/externals/axmlrpc/src/main/java','submodules/linphone/coreapi/help/java','src']
            res.srcDirs = ['res']
            assets.srcDirs = ['assets']
            jniLibs.srcDir 'libs'

            java.exclude '**/mediastream/MediastreamerActivity.java'
        }

        // Move the tests to tests/java, tests/res, etc...
        instrumentTest.setRoot('tests')

        // Move the build types to build-types/<type>
        // For instance, build-types/debug/java, build-types/debug/AndroidManifest.xml, ...
        // This moves them out of their default location under src/<type>/... which would
        // conflict with src/ being used by the main source set.
        // Adding new build types or product flavors should be accompanied
        // by a similar customization.
        debug.setRoot('build-types/debug')
        release.setRoot('build-types/release')
    }
}

My code works just fine; the app doesn't crash. The logcat displays only verbose information. So what's the problem with libupnp versions? Google Play are simply not accepting my app, even though I removed the libupnp files from submodules, ran the app on a device, found it works great, then updated the version code, generated a signed APK, then uploaded the version on Google Play developer. They reply to say they are refusing to publish because libupnp contains a vulnerability; however, my project doesn't contain any file of libupnp.

This is what they referred to: support.google.com/faqs/answer/6346109; I did all the upgrades but it was still refused. I deleted the files of the upnp library in the project and removed the referenced code for libupnp from the project, but they still say the app is vulnerable. Surely when there are no files in the project and no code, then there is no vulnerability?

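3 answers:

Answer 0: (score: 2)

Unfortunately, liblinphone itself contains the vulnerable library.

As of February 2, 2016, downloading linphone-latest.apk from linphone.org and searching inside it shows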

UPnP/1.0, Portable SDK for UPnP devices/1.6.17 

Unless they update it, there is nothing you can do other than ask them to update.
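The search described in the answer above can be run against your own signed APK before each upload. The following is an added example, not code from the original post or from the Linphone project: it opens the APK as a zip, looks for the libupnp banner in every entry, and compares the version found with 1.6.18, the first fixed release named in the Google Play notice. The entry names and byte strings in the sample are constructed for illustration.

```python
import io
import re
import zipfile

# Banner string the answer found inside the APK, with the version captured.
BANNER = re.compile(rb"Portable SDK for UPnP devices\s*/\s*(\d+)\.(\d+)\.(\d+)")
FIXED_IN = (1, 6, 18)  # first fixed release according to the Google Play notice


def scan_apk(apk):
    """Return sorted [(entry_name, version_tuple, is_vulnerable)] for each banner.

    `apk` is a path or a file-like object. Every entry is searched because the
    library can be statically linked into any prebuilt .so under lib/<abi>/.
    """
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for match in BANNER.finditer(data):
                version = tuple(int(g) for g in match.groups())
                findings.add((info.filename, version, version < FIXED_IN))
    return sorted(findings)


def build_sample_apk(entries):
    """Constructed test input: an in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_apk({
        # Constructed entries: one stale prebuilt library, one rebuilt library.
        "lib/armeabi-v7a/liblinphone.so":
            b"\x7fELF\x00UPnP/1.0, Portable SDK for UPnP devices/1.6.17\r\n\x00",
        "lib/x86/liblinphone.so":
            b"\x7fELF\x00UPnP/1.0, Portable SDK for UPnP devices/1.6.19\r\n\x00",
        "classes.dex": b"dex\n035\x00",
    })
    for name, version, vulnerable in scan_apk(sample):
        status = "VULNERABLE" if vulnerable else "ok"
        print(name, ".".join(map(str, version)), status)
```

Pass the path of the release APK to `scan_apk` in place of the sample; a flagged entry means that a prebuilt native library packaged into the APK still contains the old libupnp, whatever the source tree looks like.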

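Answer 1: (score: 0)

OK guys, I have solved the problem and am posting the answer to my own question here. All I had to do was download the updated files from git, which are easy to find on the internet, and then I had to rebuild the project. The latest version of Linphone's libupnp, v1.6.9, avoids the vulnerability. So now there is no problem at all.

Answer 2: (score: 0)

@Addi.Star Thanks for sharing the information. I checked this issue and found that they updated the UPnP lib to 1.6.19, and it is noted in a comment in upnpconfig.h: Library version (string), e.g. "1.3.0" UPNP_VERSION_STRING "1.6.19". I used it and updated the submodules. Then I compiled it with the latest SDK released by Linphone, but the app is still rejected. Linphone also suggested that I use the lib and update the submodules, but that does not help when the lib version itself is defined as 1.6.19.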